FELIX-6846 Add SNI configuration support for Jetty 12#522
Conversation
paulrutter
commented
Jun 24, 2026
- Add three new config properties: org.apache.felix.https.sslContext.sniRequired (TLS level, default false) org.apache.felix.https.ssl.sniRequired (HTTP level, default false) org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true)
- Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired()
- Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer
- Register all three in ConfigMetaTypeProvider
- Document all three in http/README.md
- Add three new config properties: org.apache.felix.https.sslContext.sniRequired (TLS level, default false) org.apache.felix.https.ssl.sniRequired (HTTP level, default false) org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true) - Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired() - Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer - Register all three in ConfigMetaTypeProvider - Document all three in http/README.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- JettySniIT verifies org.apache.felix.https.ssl.sniRequired=true: hostname connections send SNI and receive 200 OK, IP address connections omit SNI (RFC 6066) and receive 400 Bad Request - Add SNI property table to http/jetty12/README Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Regenerate test-keystore.p12 with SAN (dns:localhost, ip:127.0.0.1) so Jetty's sniHostCheck can validate the certificate properly - JettySniIT: disable sniHostCheck to isolate sniRequired behaviour; hostname connection (SNI sent) -> 200, IP connection (no SNI) -> 400 - JettySniHostCheckIT: tests sniHostCheck=true (default); matching Host header -> 200, mismatched Host header -> 400 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The OpenJDK TLS stack does not send SNI for non-domain names such as "localhost", so the previous JettySniIT hostname case never sent SNI and was rejected. Use Jetty's NON_DOMAIN_SNI_PROVIDER to force SNI when a positive (SNI present) result is expected. - JettySniIT (org.apache.felix.https.ssl.sniRequired, HTTP level): SNI sent -> 200, no SNI -> 400 Bad Request - JettySniContextRequiredIT (org.apache.felix.https.sslContext.sniRequired, TLS level): SNI sent -> 200, no SNI -> TLS handshake failure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enabling HTTPS via ConfigAdmin happens after initial startup and restarts Jetty, briefly unregistering the HttpService. Reading the secure port from the service reference could hit a null reference (NPE). Await the service with Awaitility before reading the port in all three SNI integration tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This existing property (default false) was missing from the properties table. When true, the server waits for a Configuration Admin configuration before starting instead of starting immediately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The SNI properties are already documented in the main http/README.md properties table; the jetty12 README addition was unnecessary. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@cziegeler any feedback on the new Felix properties? |
|
Sorry for the late response, I guess we do not really have consistency across property names. However, the new ones have "require.config" but then "sniRequired" - so maybe we should at least align these, maybe "config.required" and "sni.required" |
|
Thanks Carsten, agreed on aligning the new ones. Since
This keeps the three SNI properties consistent with each other (the host-check flag isn't a "require", so it fits the |
|
yes, makes sense. thanks! |
Per review feedback, rename the new SNI properties for consistency: - org.apache.felix.https.sslContext.sniRequired -> sslContext.sni.required - org.apache.felix.https.ssl.sniRequired -> ssl.sni.required - org.apache.felix.https.ssl.sniHostCheck -> ssl.sni.hostCheck Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>